Taming the Elephant: Publicly Auditable Yet Privacy-Preserving Electoral Rolls
Prashant Agrawal, Research Assistant at Ashoka’s Centre for Digitisation, AI, and Society, along with his co-authors, has proposed a protocol that ensures both secure and fair elections. His innovative approach facilitates public audits of electoral rolls while preserving voter privacy, using encrypted data and statistical sampling to prevent voter profiling and establish a new standard in election security.
Prashant Agrawal
10 September, 2024 | 5m read

Election security is a critical concern. While much of the focus is on securing the voting process, electronic voting machines (EVMs) and backend systems, the security and privacy of electoral rolls, or voter lists, are often overlooked. The months-long voter registration process is vulnerable to both administrative errors and active manipulation. Common issues include the addition of ineligible voters, the malicious removal of eligible voters, and duplicate entries. Making electoral rolls public is a common approach to ensure integrity through public audits. However, this raises significant privacy concerns, as voter lists contain sensitive information that can be exploited for targeted manipulation in elections.
Prashant Agrawal, a Research Assistant at Ashoka University’s Centre for Digitisation, AI, and Society, along with his co-authors, has proposed a protocol that provides public auditability of electoral rolls while maintaining voter privacy. This protocol addresses various threats, including electoral roll manipulation, ballot stuffing, voter denials, and privacy violations. This secure electoral roll protocol eliminates the need for a trusted authority to issue eligibility credentials. Instead, it relies on legally mandated criteria such as age and citizenship to determine voter eligibility. It also eliminates the need for voters to safeguard any secrets, allowing them to participate “bare-handed.”
The core idea is to publish an electoral roll with encrypted voter identity information and then decrypt and verify a small random sample of these entries. Statistical sampling provides strong guarantees that any large-scale eligibility fraud would be detected efficiently. For an election with a million voters, verifying just a few thousand entries is typically sufficient. This approach also prevents voter profiling, because the identity information of only a small, randomly chosen fraction of voters is ever revealed.
However, statistical sampling alone cannot detect duplicate entries in the electoral roll. Deduplication is a challenging problem, and although systems like Aadhaar exist, their deduplication processes are not publicly verifiable. Moreover, even with a trusted deduplicated identity system like Aadhaar, directly using it for electoral processes could compromise voter privacy. Therefore, the proposed protocol introduces a secondary, election-specific identity that is unlinkable to the primary identity system yet retains its deduplication guarantees, ensuring both voter privacy and electoral integrity.
Even with a completely accurate electoral roll, there is no guarantee that votes are recorded only against the names of voters who actually cast their votes. To prevent ballot stuffing, the protocol incorporates a secure liveness detection mechanism, such as capturing a facial photograph of the voter holding a specific placard, attested by a trusted hardware execution module. Alternative liveness detection methods from computer vision literature can also be employed.
Finally, the protocol addresses the issue of eligible voters being wrongly denied registration or the opportunity to vote. Both registration and vote casting are conducted under public oversight, with all voters receiving appropriate receipts. These receipts allow voters to partially verify their validity on the spot, and the correctness of denial decisions can be audited by an independent auditor without revealing voters’ sensitive identity information. A random sample of voters verifying their receipts ensures protection against large-scale voter denials while maintaining privacy.
In conclusion, the proposed protocol offers practical protection against electoral roll manipulation, ballot stuffing, and various attacks on voter privacy. It is highly efficient, requiring, for example, the verification of only about 2,500 random voters out of a million to detect eligibility fraud rates of 2% or higher, while exposing the identity information of at most 1% of voters. By ensuring that electoral rolls are both verifiable and privacy-preserving, this protocol sets a new standard for secure and fair elections.
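The publish-then-sample idea described above, and the sample-size figures quoted in the conclusion, can be made concrete with a small toy model. The following Python is an added example written for this summary; it is not code from the paper or its authors. It simplifies the paper's encrypted entries to SHA-256 hash commitments, draws the audit sample from a public seed (standing in for whatever public randomness the real protocol would use), and checks the opened entries against a constructed eligibility rule (age at least 18 and a citizenship flag). The record format, the `is_eligible` rule, the beacon seed and the roll contents are all constructed assumptions, as is the use of a commitment instead of encryption. The hypergeometric functions at the end are general and show why a sample of a few thousand entries suffices for a million-voter roll.

```python
"""Toy publish-then-sample audit of an electoral roll (added example, not the paper's code).

Each entry is published as a hash commitment to the voter's identity record (the paper
uses encryption; a commitment is an illustrative simplification). A random sample of
entries is then opened and checked against an eligibility rule, and the hypergeometric
math shows how small that sample can be. Record format, seed and roll are constructed."""
import hashlib
import secrets


def commit(identity: bytes, nonce: bytes) -> bytes:
    """Hiding, binding commitment to one identity record: SHA-256(nonce || record)."""
    return hashlib.sha256(nonce + identity).digest()


def build_roll(identities):
    """Return (public commitments, private openings) for a list of identity records."""
    openings = [(secrets.token_bytes(16), rec) for rec in identities]
    commitments = [commit(rec, nonce) for nonce, rec in openings]
    return commitments, openings


def sample_indices(seed: bytes, n_entries: int, sample_size: int):
    """Derive `sample_size` distinct indices from a public seed (assumed to be published
    only after the roll is frozen) by hashing seed || counter."""
    chosen, seen, counter = [], set(), 0
    while len(chosen) < sample_size:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        # modulo bias is negligible while n_entries is far below 2**64
        idx = int.from_bytes(digest[:8], "big") % n_entries
        counter += 1
        if idx not in seen:
            seen.add(idx)
            chosen.append(idx)
    return chosen


def is_eligible(record: bytes) -> bool:
    """Constructed legal criteria: age >= 18 and citizen flag set."""
    fields = dict(f.split("=") for f in record.decode().split("|")[1:])
    return int(fields["age"]) >= 18 and fields["citizen"] == "1"


def audit_sample(commitments, openings, indices, eligible):
    """Open only the sampled entries. Returns (entries whose opening matched the published
    commitment, entries that opened correctly but fail the eligibility rule)."""
    verified, ineligible = 0, 0
    for i in indices:
        nonce, rec = openings[i]
        if commit(rec, nonce) != commitments[i]:
            continue  # opening does not match what was published: the auditor records a failure
        verified += 1
        if not eligible(rec):
            ineligible += 1
    return verified, ineligible


def miss_probability(n_entries: int, n_bad: int, sample_size: int) -> float:
    """Exact hypergeometric probability that a uniform sample of `sample_size` distinct
    entries contains none of the `n_bad` ineligible ones."""
    p = 1.0
    for i in range(sample_size):
        p *= (n_entries - n_bad - i) / (n_entries - i)
    return p


def detection_probability(n_entries: int, n_bad: int, sample_size: int) -> float:
    return 1.0 - miss_probability(n_entries, n_bad, sample_size)


def min_sample_size(n_entries: int, n_bad: int, confidence: float) -> int:
    """Smallest sample size whose detection probability is at least `confidence`."""
    if n_bad <= 0:
        raise ValueError("need at least one ineligible entry to detect")
    p, n = 1.0, 0
    while p > 1.0 - confidence:
        p *= (n_entries - n_bad - n) / (n_entries - n)
        n += 1
    return n


if __name__ == "__main__":
    # Constructed roll: 1000 records, 20 of them under-age (the "fraud" the audit should catch).
    records = [b"voter-%d|age=%d|citizen=1" % (i, 18 + i % 60) for i in range(1000)]
    for i in range(20):
        records[i * 50] = b"voter-%d|age=16|citizen=1" % (i * 50)
    commitments, openings = build_roll(records)

    n = min_sample_size(len(records), 20, 0.99)
    idx = sample_indices(b"constructed-beacon-output", len(records), n)
    verified, bad = audit_sample(commitments, openings, idx, is_eligible)
    print(f"sample size {n}: {verified} openings verified, {bad} ineligible found")
    # The headline figure: with 2% ineligible entries in a million-voter roll,
    # 2,500 openings miss the fraud with probability far below 1e-20.
    print("miss probability at N=1e6, 2%, n=2500:", miss_probability(1_000_000, 20_000, 2_500))
```

Only the sampled openings are ever revealed, so an auditor learns at most `sample_size / n_entries` of the identities, which is the privacy budget the summary describes; the commitments for everyone else stay closed.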
Reference article:
Publicly Auditable Privacy-Preserving Electoral Rolls
https://www.computer.org/csdl/proceedings-article/csf/2024/620300a217/1ZNjqNtdU3u
https://arxiv.org/abs/2402.11582
Authors:
Prashant Agrawal, Mahabir Prasad Jhanwar, Subodh Vishnu Sharma, Subhashis Banerjee
Edited by Yukti Arora and Kangna Verma, Academic Communication, RDO, Ashoka University